Static Analyzer "Uninitialized argument value checks for Unions"

In the CallAndMessageChecker.cpp, is it possible to implement checks for uninitialized unions?

E.g., for the following example, I do not get any static analysis report even if the union ‘uoff’ is passed uninitialized to the function ‘bar’.

#include <stdint.h>

typedef union {
    uint32_t Reg;
    struct {
        uint16_t Cx;
        uint16_t sf;
    };              /* anonymous struct; closing brace restored, lost in the post */
} tf;

typedef struct {
    uint16_t i;
    uint16_t j;
} st;

int bar(tf, tf, st);

int foo(tf t0, int32_t offset) {
    tf uoff;        /* never initialized */
    st s;
    s.i = 10;
    s.j = 100;
    return bar(t0, uoff, s);   /* uoff passed uninitialized, no report */
}


Hi, Aditya. The static analyzer currently has some trouble with unions because it (a) treats certain symbolic values as typed, and (b) distinguishes certain symbolic memory regions by field name. Historically, unions have caused much difficulty, so there are a number of places (largely in RegionStore.cpp) that say "if this is a union, treat it as unknown opaque memory".

Our current model for RegionStore, which uses offsets from the complete object region whenever possible, actually has a good chance of handling unions well, but nobody's taken the time to turn support back on and verify that nothing breaks, either in our test suite or in real-world projects.

So unfortunately I can't recommend any course of action here. I haven't thought about the problem in a while, so I don't have all the necessary concerns paged in, but basically IIRC it's a nontrivial problem to get even initialized vs. uninitialized working for unions in RegionStore. It's not just CallAndMessageChecker's fault.

Sorry for the bad news,

Hi Jordan,

Thanks for the reply.

I was trying to figure out if uninitialized union members can be tracked by saving the ProgramState into some map<SymbolRef, SymState> as it is done in the SimpleStreamChecker.cpp.

typedef union {     /* typedef added so that `ab` is usable as a type below */
    int a;
    int b;
} ab;

int foo(ab o);

int bar() {
    ab obj;
    obj.a = 100;    /* obj.b shares the same storage, so obj is fully initialized here */
    return foo(obj);   /* the call to foo discussed below; closing restored */
}

So I can save ‘obj.a’ as a SymbolRef in a map<SymbolRef, SymState>.

The problem I’m facing is that I don’t know how to get the SymbolRefs of all the members (obj.a and obj.b in this case) when I encounter the function call ‘foo’, so that I can do the arithmetic and figure out that ‘obj’ is completely initialized in this case.